Seclog - #137

Rosecurify
3 min read

"The enemy does not care what systems were in scope for testing. Protect your weak points." - The Art of Cyber War

  • Executing arbitrary Python code from a comment

  • Cloud Build Race Condition Bypass – A subtle race condition in Google Cloud Build's GitHub integration could bypass maintainer review for pull request tests, highlighting critical access control risks in CI/CD systems. Read More

  • CrushFTP RCE via DMZ Proxy Flaw – CVE-2025-54309 exploited security check failures in CrushFTP's DMZ proxy, bypassing protections for the internal admin server. Read More

  • Hijacking Multi-Agent System Risks – Multi-agent systems (MASs) face failures from unknown components, paralleling distributed system vulnerabilities, enabling new exploit avenues. Read More

  • PyPI Phishing Attack Incident Report – A recent campaign targeted PyPI users via email, prompting awareness and initial details about the attack vector. Read More

  • AI Prompt Injection Risks and Mitigation – With rising LLM adoption, prompt injection poses new threats; an example illustrates real-world exploitation and defensive strategies. Read More

  • Pixel 8 Kernel Debugging via KGDB Guide – Techniques include building custom kernels, breaking into KGDB using ADB or serial connections, and attaching GDB for debugging. Read More

  • Semgrep Adoption Strategies and MAS Risks – Introducing Semgrep requires organizational planning for security gains, while multi-agent systems face distributed failure risks akin to traditional infrastructure. [Read More](https://blog.trailofbits.com/2024/01/12/how-to-introduce-semgrep-to-your-organization/?ref=log.rosecurify.com)

  • TerraMaster NAS Firmware Extraction to RCE – Firmware extraction and PHP analysis led to remote code execution on TerraMaster NAS devices, starting from an IoT security research idea. Read More

  • Gemini CLI Silent Code Execution Risk – A silent attack on Gemini CLI combined improper validation, prompt injection, and misleading UX to execute malicious commands during untrusted code inspection. Read More

  • Critical Base44 Vulnerability Exposes Private Apps – A flaw in the AI "vibe coding" platform Base44 allowed unauthorized access to users' private applications, identified by Wiz Research. Read More

💻 SecGit

  • rb-x/penflow: A visual methodology tracking platform tailored for offensive security assessments

  • Proton's Lumo AI Assistant Prompt – Defines a cat-like, upbeat AI personality with guidelines for curiosity and respectful user interactions. Explore on GitHub

  • Java RMI Vulnerability Scanner Tool – Remote-Method-Guesser identifies and exploits vulnerabilities in Java RMI services efficiently. Explore on GitHub

  • Amazon MWAA Remote Code Execution – Details an RCE vulnerability in Amazon Managed Workflows for Apache Airflow (MWAA). Explore on GitHub

  • S3DNS: Cloud Bucket Discovery Tool – Acts as a DNS server to identify AWS/GCP/Azure buckets, following CNAMEs and matching patterns during surfing. Explore on GitHub

  • CVE.ICU Project Code Release – Hosts the source code for the CVE.ICU initiative, though specifics remain sparse from the highlight. Explore on GitHub

  • Pwnat: Firewall/NAT Hole-Punching – Exploits NAT translation tables to connect clients/servers behind separate NATs without third-party tools. Explore on GitHub

For suggestions and any feedback, please contact: securify@rosecurify.com
